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A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent temn adjustment. See 37 CFR 1.704(b). 

Status 

1)S Responsive to connmunication(s) filed on 21 November 2005 . 
2a)\3 This action is FINAL. 2b)S This action is non-final. 

3) 0 Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) |EI Claim(s) 1,2,4,5,7,8,12-14,16.17,19, 20. 24-26, 28. 29,31. 32 and 36 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) 0 Claim{s) is/are allowed. 

6) 13 Claim(s) 1,2.4,5, 7,8,12-14.16,17.19,20,24-26.28.29.31,32 and 36 is/are rejected. 
?)□ Claim{s) is/are objected to. 

8) 0 Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) 0 The specification is objected to by the Examiner. 

10) ^ The drawing(s) filed on 21 November 2005 is/are: a)K accepted or b)n objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) 0 The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 
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application from the International Bureau (PCT Rule 17.2(a)). 
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DETAILED ACTION 

Claims 1-2.4-5,7-8.12-14,16-17.19-20,24-26.28-29,31-32. and 36 have been considered. 

Continued Examination Under 37 CFR 1.114 

5 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 

1.17(e), was filed in this application after final rejection. Since this application is eligible for continued 
examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the 
finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's 
submission filed on 1 1/21/05 has been entered. 

10 

Claim Rejections - 35 (JSC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

15 (a) A patent may not be obtained though the invention is not identically disclosed or described as 

set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 

20 was made. 

Claims 1-2,4-5.7-8,12-14,16-17,19-20.24-26,28-29,31-32, and 36 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Yann, U.S. Patent Application Publication No. 2002/0078368, in view 
25 of Risch, U.S. Patent No. 5,471,629, in further view of Chambers. U.S. Patent No. 5,398,196. 

As per claims 1,13, and 25, the applicant describes a method of detecting a computer virus 
comprising the following limitations which are met by Yann in view of Risch in further view of Chambers: 
a) analysis logic operable to analyse program instructions forming said executable computer 
30 program to identify suspect program instructions forming said executable computer program to identify 
suspect program instructions being one or more of: 
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i) a program instruction generating a result value not used by another portion of said 
executable computer program; 

ii) a program instruction dependent upon an uninitialised variable (Yann: [0030]); 

b) detecting logic for detecting said executable computer program as containing a computer virus 
5 if a number of suspect program instructions identified for said executable computer program exceeds a 

threshold level (Yann: [0030]; [0016]); 

c) wherein said analysis logic includes a dependency table indicating a dependency between 
state variables within said computer and loaded variable values, and for each program instruction said 
analysis logic makes a determination as to which state variables are read and written by that program 

10 instruction and for each loaded variable value within said dependence table if any state variable read by 
that program instruction is marked as dependent upon said loaded variable value, then all state variables 
written by that program instruction are marked as dependent upon said loaded variable value with 
previous dependencies being cleared (Yann: [0030], [0034]; Risch: Col 10, lines 28-51); 

d) analysis logic parses said executable computer program for suspect program instructions by 
15 following execution flow and upon occurrence of a branch first following a first branch path having saved 

pending analysis results and subsequently returning to follow a second branch path having restored said 
pending analysis results (Chambers: Col 11, lines 34-45); 

e) wherein a state variable is marked as initialized upon occurrence of one of: 
(i) a write to said state variable of a determined initialized value; 

20 (ii) use of said state variable as a memory address value by a program instruction (Yann: [0034]); 

f) wherein a branch path stops being followed when one of the following occurs: 

(i) there are no further suitable program instructions for execution within that branch path 
(Chambers: Col 11, lines 34-45); 

(ii) said branch path rejoins a previously parsed execution path (Chambers: Col 11, lines 34-45); 
25 Yann discloses a method of detecting viral code, such as polymorphic viral code, which 

recognizes that computer viruses, and particularly polymorphic viruses, often contain redundant or 
ridiculous code. Yann exploits this recognition by analyzing the level of redundant or ridiculous code 
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usage to determine whether a polymorphic virus is present (see, for example, Yann: [0030]-[0036]). In 
particular, Yann discloses both analysis logic to identify suspect program instructions (part a) and 
detecting logic to detect a virus if a number of suspect program instructions exceeds a threshold level 
(part b). Furthermore, Yann teaches that if a value in a register/flag is employed by a CPU instruction, 
5 the register/flag is marked as "used", and, upon occurrence of a write to a register/flag of a determined 
value, a register/flag is marked as "set" (part e). Thus, Yann meets the limitations of parts a,b, and e. 

Yann also discloses the limitation of part c with the exception that Yann is silent as to the 
monitored data being stored in a table. Risch teaches the well-known idea that data may be stored in a 
table. It would have been obvious to one or ordinary skill in the art at the time the invention was filed to 

10 combine the ideas of Risch in view of Yann and store data in a table because doing so provides a 
convenient way for a system to store and monitor data. 

Yann in view of Risch disclose all the limitations of parts a,b,c, and e. However, Yann in view of 
Risch fail to disclose parts d and f. Chambers discloses a method of detecting a virus. More specifically, 
Chambers teaches following execution flow and upon occurrence of a branch first following a first branch 

15 path having saved pending analysis results and subsequently returning to follow a second branch path 
having restored said pending analysis results. It would have been obvious to one of ordinary skill in the 
art at the time the invention was filed to combine the ideas of Chambers with those of Yann in view of 
Risch because doing so makes the system more robust and secure by providing additional means to 
determine viral code. 

20 

As per claims 2,14, and 26, the applicant describes the computer program product of claims 1,13, 
and 25, which are met by Yann in view of Risch in further view of Chambers, with the following limitation 
which is also met by Yann: 

Wherein said computer virus is a polymorphic computer virus ([0030]). 



25 
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As per claims 4,16, and 28, the applicant describes the computer program product of claims 1,13, 
and 25. which are met by Yann in view of Risch in further view of Chambers, with the following limitation 
which is also met by Yann: 

Wherein for each program instruction said analysis logic is operable to make a determination as 
5 to which state variables are read by that program instruction ([0034]); 

The applicant should note that the variables read by the program instruction are labeled as being 
in a "used" state. The applicant should also note that program instructions are evaluated on a one-by-one 
basis ([0031]). 



10 As per claims 5,17, and 29, the applicant describes the computer program product of claims 1,13, 

and 25, which are met by Yann in view of Risch in further view of Chambers, with the following limitation 

which is also met by Yann: 

Wherein for each program instruction said analysis logic is operable to make a determination as 

to which state variables are written by that program instruction ([0035]); 
15 The applicant should note that the variables written by the program instruction are labeled as 

being in a "set" state. 



As per claims 7,19, and 31, Yann discloses the computer program product of claims 3,15, and 27, 
which are met by Yann in view of Risch in further view of Chambers, with the following additional 
20 limitation which is also met by Yann: 

Wherein said state variables include one or more of: 

(i) register values; 

(ii) processing result flag values; 

(iii) a flag indicative of a write to a non-register storage location ([0034]). 



25 
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As per claims 8,20, and 32, the applicant describes the computer program product of claims 1,13, 
and 25, which are met by Yann in view of Risch in further view of Chambers, with the following limitation 
which is also met by Yann: 

Wherein said analysis logic is operable to maintain an initialization table indicating which state 
5 variables have been initialized ([0033],[0034], and 24 of Fig 2); 

Uninitialized variables are labeled "undefined". Initialized variables are labeled as "set" if written 
to or "used" if in a used state. 

As per claims 12,24. and 36, the applicant describes the computer program product of claims 
10 1,13, and 25, which are met by Yann in view of Risch in further view of Chambers, with the following 
additional limitation which is also met by Yann: 

Wherein if said threshold level is exceed, then further virus detection mechanisms are triggered to 
confirm the presence of a computer virus ([0016]). 

1 5 Response to Arguments 

Applicant's arguments, see Remarks, filed 1 1/21/05, with respect to the Drawings have been fully 
considered and are persuasive. The objection of the Drawings has been withdrawn. 

Applicant's arguments with respect to the 103(a) rejection of claim 1 under Yann in view of Risch 
20 in further view of Nachenberg have been fully considered but are moot in view of the new grounds. 

Conclusion 

This action is made non-final. Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Kevin Schubert whose telephone number is 
25 (571) 272-4239. The examiner can normally be reached on M-F 7:30-6:00. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
5 Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto,gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). 
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